Using Trend Micro Products for Investigation
The following highlights post-exploitation detections and remediation technology that can be used by customers to investigate and help with potential remediation in a customer’s environment.
Trend Vision One™
Trend Vision One customers benefit from the attack surface risk management and XDR capabilities of the overall platform, fed by products such as Trend Micro Apex One or Trend Vision One - Endpoint Security, allowing existing customers to stay up to date on the latest information on these vulnerabilities. Leveraging the Risk Insights family of apps, customers can scan for and identify impacted assets, and stay up to date on the latest mitigation steps, including how to use Trend products to detect and defend against exploitation.
Attack Surface Risk Management (ASRM) > Executive Dashboard
An updated Zero Day Vulnerability page in the Trend Vision One Executive Dashboard has been launched to provide a lot of relevant information in one area for Trend Vision One users and will be updated as more information is released.
Detection Model
Trend Vision One customers may utilize Trend Micro's Vision One Detection Models to scan for potential issues.
- Open Trend Vision One and navigate to XDR THREAT INVESTIGATION > Detection Model Management.
- Select the following Detection Models:
  - Potential Exploitation of Microsoft SmartScreen Detected (CVE-2024-21412)
  - Exploitation of Microsoft SmartScreen Detected (CVE-2024-21412)
  - Suspicious Activities Over WebDav
Search Query
In addition, Trend Vision One customers may utilize the General Search Query function in the console to do some preliminary investigation of potential exposure.
- Open Trend Vision One and navigate to XDR THREAT INVESTIGATION > Search.
- Select General for Search Method.
- Enter the following queries:
(productCode:sds OR productCode:pds OR productCode:xes OR productCode:sao) AND eventId:1 AND eventSubId:2 AND objectCmd:"rundll32.exe" AND objectCmd:/underwall/ AND ( objectCmd:.url OR objectCmd:.cmd)
(productCode:sds OR productCode:pds OR productCode:xes OR productCode:sao) AND eventId:1 AND eventSubId:2 AND objectCmd:"rundll32.exe" AND objectCmd:/fxbulls/ AND ( objectCmd:.url OR objectCmd:.cmd)
- Execute the search (and save for later if desired).
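The two General Search queries above, re-implemented as plain Python over constructed event records so the matching logic can be read and tested offline. This is an added example, not Trend Micro code: the field names (productCode, eventId, eventSubId, objectCmd), product codes, the eventId/eventSubId pair and the two path tokens come from the queries in this article; treating the /underwall/ and /fxbulls/ terms as case-insensitive substring matches is an assumption, and every sample event below is constructed.

```python
"""Offline re-implementation of the two Vision One General Search queries above.

Added example, not Trend Micro code. Field names, product codes, the
eventId/eventSubId pair and the path tokens come from the article; treating the
/underwall/ and /fxbulls/ terms as case-insensitive substring matches is an
assumption, and every sample event below is constructed.
"""
import re
from typing import Iterable, Optional

ENDPOINT_PRODUCTS = {"sds", "pds", "xes", "sao"}   # productCode values listed in the queries
PROCESS_CREATION = (1, 2)                           # eventId:1 AND eventSubId:2 in the queries
PATH_TOKENS = ("underwall", "fxbulls")              # one token per query in the article
SHORTCUT_OR_SCRIPT = re.compile(r"\.(url|cmd)\b", re.IGNORECASE)  # objectCmd:.url OR objectCmd:.cmd


def matches_query(event: dict) -> Optional[str]:
    """Return the path token whose query the event satisfies, or None.

    Every condition of the article's query must hold: an endpoint product code,
    a process-creation event, rundll32.exe in the command line, a .url or .cmd
    argument, and one of the two path tokens.
    """
    if event.get("productCode") not in ENDPOINT_PRODUCTS:
        return None
    if (event.get("eventId"), event.get("eventSubId")) != PROCESS_CREATION:
        return None
    cmd = str(event.get("objectCmd", ""))
    lowered = cmd.lower()
    if "rundll32.exe" not in lowered or not SHORTCUT_OR_SCRIPT.search(cmd):
        return None
    for token in PATH_TOKENS:
        if token in lowered:
            return token
    return None


def find_hits(events: Iterable[dict]) -> list:
    """Return (host, token) pairs for every event one of the queries would return."""
    hits = []
    for event in events:
        token = matches_query(event)
        if token is not None:
            hits.append((event["host"], token))
    return hits


# Constructed telemetry: only ws-01 and ws-05 satisfy a query.
SAMPLE_EVENTS = [
    {"host": "ws-01", "productCode": "sao", "eventId": 1, "eventSubId": 2,
     "objectCmd": r'rundll32.exe "\\share.example\UNDERWALL\docs\invoice.url"'},
    {"host": "ws-02", "productCode": "sao", "eventId": 1, "eventSubId": 2,
     "objectCmd": "rundll32.exe shell32.dll,Control_RunDLL"},           # no .url/.cmd, no token
    {"host": "ws-03", "productCode": "sds", "eventId": 3, "eventSubId": 7,
     "objectCmd": r'rundll32.exe "\\share.example\underwall\a.url"'},    # not a process-creation event
    {"host": "ws-04", "productCode": "xes", "eventId": 1, "eventSubId": 2,
     "objectCmd": r"cmd.exe /c \\share.example\fxbulls\run.cmd"},         # no rundll32.exe
    {"host": "ws-05", "productCode": "pds", "eventId": 1, "eventSubId": 2,
     "objectCmd": r'rundll32.exe "\\share.example\fxbulls\report.cmd"'},
    {"host": "srv-06", "productCode": "xxx", "eventId": 1, "eventSubId": 2,
     "objectCmd": r'rundll32.exe "\\share.example\fxbulls\report.cmd"'},  # product not in the query
]

if __name__ == "__main__":
    for host, token in find_hits(SAMPLE_EVENTS):
        print(f"{host}: matches the /{token}/ query")
```

Running the script lists ws-01 (underwall) and ws-05 (fxbulls); the other constructed events each fail exactly one of the query's conditions, which is a useful way to confirm that a saved search is as narrow as intended before relying on it.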
Observed Attack Techniques (OATs)
Another potentially useful search is to look for OATs that may have been recently spotted in the environment using some of the tactics, techniques and procedures (TTPs) highlighted in Trend Micro's technical analysis blog.
- Open Trend Vision One and navigate to XDR THREAT INVESTIGATION > Observed Attack Techniques.
- Choose the appropriate filters and search parameters and conduct the search.
OSQUERY in XDR Threat Investigation > Forensics
Trend Vision One customers may also utilize the OSQUERY function as part of the Forensics toolset in Vision One to run a query on machines that may not have applied the relevant Microsoft patch:
- First a customer will have to create a Workspace and add relevant endpoints to scan. Specific information on setting this up can be found here.
- The specific SQL query that you will want to use is:
SELECT DISTINCT csname FROM patches
WHERE csname NOT IN (
    SELECT DISTINCT csname FROM patches
    WHERE hotfix_id IN ('KB5034768', 'KB5034763', 'KB5034766', 'KB5034770', 'KB5034769', 'KB5034765')
)
AND hotfix_id IS NOT NULL;
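An offline dry run of the osquery patch check above, added here as an example and not Trend Micro's or osquery's code. It loads constructed rows shaped like osquery's patches table (csname = computer name, hotfix_id = KB number) into in-memory SQLite and runs the article's query unchanged, so the NOT IN logic and its blind spot (hosts that return no usable row at all) can be checked before the query is pushed to a Forensics workspace. The KB list is the article's; the host names and installed updates are constructed.

```python
"""Offline dry run of the osquery patch check above.

Added example, not Trend Micro's or osquery's code. The KB list is the
article's; host names and installed updates are constructed.
"""
import sqlite3

# The query from the article, reformatted but otherwise unchanged.
UNPATCHED_QUERY = """
SELECT DISTINCT csname FROM patches
WHERE csname NOT IN (
    SELECT DISTINCT csname FROM patches
    WHERE hotfix_id IN ('KB5034768', 'KB5034763', 'KB5034766',
                        'KB5034770', 'KB5034769', 'KB5034765')
)
AND hotfix_id IS NOT NULL;
"""

# Constructed fleet snapshot. On a real endpoint osquery only reports the local
# machine, so csname has a single value per host; merging several hosts here
# just lets one run exercise every branch of the query.
SAMPLE_PATCHES = [
    ("WS-PATCHED", "KB5034122"),     # earlier cumulative update
    ("WS-PATCHED", "KB5034765"),     # one of the February 2024 KBs: host is excluded
    ("WS-STALE", "KB5034122"),       # nothing from the February list: host is returned
    ("WS-STALE", "KB5033375"),
    ("SRV-NULL-ONLY", None),         # hotfix_id NULL: dropped by IS NOT NULL, so never returned
]


def load_patches(rows):
    """Build an in-memory table with the two osquery columns the query uses."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE patches (csname TEXT, hotfix_id TEXT)")
    con.executemany("INSERT INTO patches VALUES (?, ?)", rows)
    return con


def unpatched_hosts(rows):
    """Hosts the article's query reports as missing every February 2024 KB."""
    con = load_patches(rows)
    try:
        return sorted(r[0] for r in con.execute(UNPATCHED_QUERY))
    finally:
        con.close()


def silent_hosts(expected_hosts, rows):
    """Workspace hosts that produced no usable patches row.

    The query can only name hosts that returned data: an endpoint that is
    offline, lacks the agent, or reports only NULL hotfix ids appears in
    neither result set, so it has to be reconciled against the workspace's
    endpoint list separately rather than treated as patched.
    """
    reporting = {csname for csname, hotfix in rows if hotfix is not None}
    return sorted(set(expected_hosts) - reporting)


if __name__ == "__main__":
    workspace = ["WS-PATCHED", "WS-STALE", "SRV-NULL-ONLY", "WS-OFFLINE"]
    print("unpatched:", unpatched_hosts(SAMPLE_PATCHES))
    print("no data:  ", silent_hosts(workspace, SAMPLE_PATCHES))
```

The query returns only WS-STALE; WS-PATCHED is excluded because one February KB is present, and SRV-NULL-ONLY and the offline host never appear, which is why the second function exists.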
Trend Micro Protection and Detection Against Exploitation
First and foremost, it is always highly recommended that users apply the vendor's patches when they become available. Microsoft has released some updated patches as part of the February 2024 Patch Tuesday set of critical updates.
Because the exploit was originally submitted through the Trend Micro Zero Day Initiative, Trend Micro has analyzed the exploit information and can share the following detection rules and filters that help protect against potential exploitation of this vulnerability.
Trend Micro Cloud One - Network Security & TippingPoint Filters
- 43700: HTTP: Microsoft Windows Internet Shortcut SmartScreen Bypass Vulnerability
- 43701: ZDI-CAN-23100: Zero Day Initiative Vulnerability (Microsoft Windows SmartScreen)
- 43266: TCP: Backdoor.Win32.DarkMe.A Runtime Detection
- 1011949 - Microsoft Windows SmartScreen Security Feature Bypass Vulnerability (CVE-2024-21412)
- 1011950 - Microsoft Windows SmartScreen Security Feature Bypass Vulnerability Over SMB (CVE-2024-21412)
- 1011119 - Disallow Download Of Restricted File Formats (ATT&CK T1105)
- 1004294 - Identified Microsoft Windows Shortcut File Over WebDav
- 1005269 - Identified Download Of DLL File Over WebDAV (ATT&CK T1574.002)
- 1006014 - Identified Microsoft BAT And CMD Files Over WebDAV
Trend Vision One Network Sensor and Trend Micro Deep Discovery Inspector (DDI) Rules
- 4983: Microsoft Windows SmartScreen Exploit(ZDI-CAN-23100) - HTTP(Response)
Trend Micro Worry-Free Business Security Services (WFBSS) Vulnerability Protection IPS Rules
- 1011949 - Microsoft Windows SmartScreen Security Feature Bypass Vulnerability (CVE-2024-21412)
- 1011950 - Microsoft Windows SmartScreen Security Feature Bypass Vulnerability Over SMB (CVE-2024-21412)
Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring) for Endpoint, Servers (e.g. Apex One, Worry-Free Business Security Services, Worry-Free Business Security Standard/Advanced, Deep Security w/Anti-malware, etc.), Mail & Gateway (e.g. Cloud App Security, ScanMail for Exchange, IMSVA)
In addition to the proactive exploit protection listed above, Trend Micro endpoint, server, mail & gateway solutions also detect and protect against components of the DarkMe malware that have been observed in attacks in the wild. Detections of these components include:
- DarkMe Downloader and Loader: Trojan.Win32.DARKME.A
- Other exploit components are detected as Trojan.HTML.CVE202421412.A and Trojan.Win32.CVE202421412.A
Trend Micro will continue to monitor and update this article as new information becomes available.